Blacklisting IPs

Erik Norgaard norgaard at locolomo.org
Mon Jan 10 12:10:48 PST 2005


Louis LeBlanc wrote:
> On 01/10/05 12:20 AM, artware sat at the `puter and typed:
>>My 5.3R system has only been up a little over a week, and I've already
>>had a few breakin attempts -- they show up as Illegal user tests in
>>the /var/log/auth.log... It looks like they're trying common login
>>names (probably with the login name used as passwd). It takes them
>>hours to try a dozen names, but I'd rather not have any traffic from
>>these folks. Is there any way to blacklist IPs at the system level, or
>>do I have to hack something together for each daemon?
> 
> 
> I get this all the time too.  I'm sure anyone with a *nix system on the
> net does.

I have two boxes, one allows password authentication, and I also see 
these attempts. The other only accepts login with ssh-keys and I see no 
such activity.

> I'm sure after reading this, someone else will post another favorite
> password generation method, including the numerous ports available - I'd
> like to see one that checks the security of a password rather than just
> generating them.

yeah, close your eyes, hit the keyboard with all 10 fingers and your 
nose and see what comes out: ac0e48 amæifljasc4å0w(V4 ok - I admit, I 
didn't hit the keyboard with my nose, but it's absolutely not a 
dictionary word :-)

> As for the firewall and the originating IP, I follow a plain process:
> 
> Check the whois record of the offending IP
>   If the IP is in Asia, Russia, or Nigeria, I drop the CIDR spec into my
>     firewall <BLOCKED> table and never hear from anyone on the network
>     again.  The CIDR spec is part of the whois record
>   If the IP is in Western Europe or North America, I notify the abuse
>     address to inform them they either have a cracker or a cracked
>     system.
> 
> This practice has reduced these attempts considerably.  Each time I see
> another, I add it to the blocked table (I use pf, not ipfw).

If it's a problem, try to reverse your thinking: why are you allowing 
access from everywhere in the first place? It is far easier to list the 
ranges you know your users will be logging in from than try to block 
these occasional events that never happen from the same source.

If you are serving a university campus it's likely not an option to 
block off specific countries or continents, but if it's your SOHO I see 
no reason you should leave the doors open from ranges you know can only 
be intruders.

If interested, I have a script for picking out countries from the 
delegation lists:

    www.daemonsecurity.com/src/ip-rules.pl

Go ahead and hack it to create the rules you need.

Cheers, Erik

-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
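
The "Illegal user" lines in auth.log that started this thread can be turned into input for the pf table Louis describes. The script below is an added example, not Erik's ip-rules.pl and not code from the thread: it counts attempts per source address over constructed FreeBSD 5.x-style auth.log lines and prints the pfctl commands for a table called BLOCKED; the table name, the threshold and the sample lines are assumptions.

```shell
#!/bin/sh
# Constructed sample of FreeBSD 5.x /var/log/auth.log lines (not real data);
# the addresses are documentation ranges.
SAMPLE_LOG='Jan 10 03:12:44 gw sshd[812]: Illegal user test from 192.0.2.10
Jan 10 03:14:02 gw sshd[815]: Illegal user admin from 192.0.2.10
Jan 10 03:15:31 gw sshd[819]: Illegal user oracle from 192.0.2.10
Jan 10 04:02:10 gw sshd[901]: Illegal user guest from 198.51.100.7
Jan 10 04:05:55 gw sshd[903]: Accepted publickey for erik from 203.0.113.5 port 51022 ssh2
Jan 10 05:20:13 gw sshd[950]: Illegal user admin from 198.51.100.7'

# Read log lines on stdin; print "count ip" for every source address with at
# least $1 "Illegal user" attempts (default 3), most active source first.
illegal_user_sources() {
    min=${1:-3}
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Illegal user [^ ]+ from / {
            # the source address is the field that follows "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Print (do not run) the pfctl commands that would add each offender to the
# BLOCKED table; "BLOCKED" is an assumed table name, so check pf.conf first.
pf_block_commands() {
    illegal_user_sources "$1" | while read -r count ip; do
        printf 'pfctl -t BLOCKED -T add %s   # %s illegal-user attempts\n' "$ip" "$count"
    done
}

# Usage: sh thisscript.sh demo   (or pipe a real auth.log into the functions)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | illegal_user_sources 2
    printf '%s\n' "$SAMPLE_LOG" | pf_block_commands 3
fi
```

The "Accepted publickey" line is deliberately ignored, which matches Erik's observation that a key-only host sees none of this noise in its logs.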


More information about the freebsd-questions mailing list